Archive

Today, I was looking for a small tool to display interface usage on Solaris, so I tried iftop first. However, after spending a few hours trying to build it (including ncurses and libpcap) I finally got a binary, but it does not work! After googling for a few minutes, I found Bandwidth Monitor NG. It is a very simple piece of software, which uses only a few libraries, and works like a charm!

After a few weeks of trying to persuade my boss to buy Splunk, I started putting it into production. My first goal was to clone the search application's dashboard using a dedicated index. Indeed, I have a few Splunk agents reading some Tomcat logs and forwarding them to my Splunk instance. All these logs go to a dedicated index, named rtlnet. Our web developers want to use Splunk to see the production logs. While it was easy to create the rtlnet index, I wanted to clone the search dashboard to give them an overview of logs by application, or by host. However, while it was easy to add index=rtlnet in the metadata search, I was not able to add the index to the search computed when you click on a result (for example a sourcetype).

As I said, adding index=rtlnet in the metadata search is trivial. However, when a user clicks on a result (in this case on a source), the computed search was only source=$target, so there was no result, since the index is not specified. After spending a few hours trying to understand how to add the index to the existing intention, I finally understood that I needed to nest it inside a new HiddenIntention. Here is the new module definition:

Here is an rsyslog snippet to create one file per day, per device. Indeed, the %now variable takes a value like 2010-05-24. Note that HOSTNAME will be replaced by the hostname sent by the syslog client. If you want to use the IP address instead, you can use %fromhost-ip%, and if you want the DNS name resolved by the rsyslog server, use %fromhost%.
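Added example, not the snippet from the original post: a template that does what the paragraph describes, with the /var/log/remote/ base path and the template names as assumptions. Because the hostname string comes from the syslog client and ends up in a file name, it also applies rsyslog's secpath-replace property option, which rewrites slashes in the value so a client cannot add path components of its own.

```conf
# Added example (not from the original post). Base path and template
# names are assumptions; the property names are those the post uses.
#
# One file per client host and per day:
#   /var/log/remote/<HOSTNAME>/<YYYY-MM-DD>.log
# HOSTNAME is whatever the client put in the syslog header, i.e. untrusted
# input in a file path. secpath-replace turns "/" into "_" so a value such
# as "../../etc" cannot steer the dynafile outside the base directory.
# %$now% expands to the current date, e.g. 2010-05-24.
$template DailyPerDevice,"/var/log/remote/%HOSTNAME:::secpath-replace%/%$now%.log"

# Same layout keyed on the sender's IP address, which the server observes
# itself rather than reading from the message.
$template DailyPerDeviceIP,"/var/log/remote/%fromhost-ip%/%$now%.log"

# Let rsyslog create the per-host directories on demand (this is the default).
$CreateDirs on

# Write every message to the per-device dynafile ("?" selects a template
# whose output is a file name, not a static path).
*.* ?DailyPerDevice
```

Switch the last line to ?DailyPerDeviceIP if you would rather not trust the client-supplied name at all; %fromhost% (the reverse-resolved name) is the third option the post mentions.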